Well before IE7, with “low rights IE” and its other improvements, Microsoft shipped IE6 on Windows Server 2003 in the Enhanced Security Configuration. With Windows Vista nearly ready and Longhorn Server on the horizon as well, I decided to look at how much the Enhanced Security Configuration (ESC) has benefited customer security, if at all.
Security professionals will immediately say that you shouldn’t be browsing from servers anyway, and I agree. From a security perspective, I’d always recommend treating your server like a server and using a separate workstation when you need to browse, download, and so on. That’s a best practice: let your database or web server do its job. You can’t be lured to a malicious web site if you are not browsing from the machine at all.
In practice, even admins who ignore this best practice have servers that mostly follow it. Say they run a farm of 100 web servers: even if they use one as a temporary workstation now and then, they will not be using the other 99 that way, so those 99 are not put at risk.
You might say this is beside the point with respect to IE ESC: if the browser isn’t being used, its protections don’t matter very much. So, assuming that admins do occasionally browse from a server, has ESC benefited them?
I went through every Security Bulletin since Windows Server 2003 shipped and examined every issue affecting IE6. For each of the vulnerabilities, I checked to see whether it was exploitable in the Enhanced Security Configuration. What I found was that IE ESC mitigates 61% of those vulnerabilities, so that they cannot be exploited.
I expect significantly more of IE7, given how much the IE team has focused on improving security quality and architecture for the next release, but 61% mitigation is a pretty effective security improvement brought about by implementing the “secure by default” philosophy in configuring the default settings for IE on the server.
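The 61% figure only helps a server that is actually still in the Enhanced Security Configuration, and ESC can be switched off per group (Administrators, Users) from Add/Remove Windows Components. As an added check, written for this edit and not code from the original post or from Microsoft, the PowerShell below reads the registry locations that record ESC’s state and the Internet-zone settings ESC applies, so a reader can confirm a server is in the configuration the numbers above assume before counting on the mitigation. It assumes PowerShell is available on the host (it was not in the box on Windows Server 2003); the Active Setup component GUIDs, zone keys and URL-action IDs are Microsoft’s documented ones, and the script only reads, it changes nothing.

```powershell
# Added example, not code from the original post: a read-only audit of whether
# IE Enhanced Security Configuration is turned on for this machine and whether
# the current user's Internet zone still carries the High-security settings
# that ESC applies. Registry locations are the documented ESC Active Setup
# components and the standard IE zone keys; assumes PowerShell is on the host.

$escComponents = @{
    'Administrators' = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    'Users'          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

foreach ($group in $escComponents.Keys) {
    $key = $escComponents[$group]
    if (Test-Path $key) {
        # IsInstalled = 1 means ESC is on for that group; 0 means someone turned it off.
        $isInstalled = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).IsInstalled
        $state = if ($isInstalled -eq 1) { 'ON' } else { 'OFF' }
    } else {
        $state = 'component not present (not a server SKU?)'
    }
    '{0,-30}: {1}' -f "IE ESC for $group", $state
}

# Zone 3 is the Internet zone. Per-user zone settings normally live under HKCU;
# if the Security_HKLM_only policy is set, IE reads them from HKLM instead.
$ieSettings = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$hklmOnly = (Get-ItemProperty -Path "HKLM:\$ieSettings" -ErrorAction SilentlyContinue).Security_HKLM_only
$hive = if ($hklmOnly -eq 1) { 'HKLM:' } else { 'HKCU:' }
$zone = "$hive\$ieSettings\Zones\3"
$props = Get-ItemProperty -Path $zone -ErrorAction Stop

# CurrentLevel encodes the slider position; ESC sets the Internet zone to High.
$levelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-Low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-High'; 0x12000 = 'High' }
$level = [int]$props.CurrentLevel
$levelName = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { 'Custom' }
'Internet zone CurrentLevel: 0x{0:X} ({1}); ESC expects 0x12000 (High)' -f $level, $levelName

# The URL actions most IE6-era exploits depended on. Value 0 = Enabled, 1 = Prompt, 3 = Disabled.
$actions = @(
    @{ Id = '1200'; Name = 'Run ActiveX controls and plug-ins' },
    @{ Id = '1201'; Name = 'Initialize/script ActiveX not marked safe' },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls' },
    @{ Id = '1400'; Name = 'Active scripting' },
    @{ Id = '2000'; Name = 'Binary and script behaviors' }
)
$meaning = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

foreach ($a in $actions) {
    $v = $props.($a.Id)
    $text = 'not set (zone default applies)'
    if ($null -ne $v) {
        $text = if ($meaning.ContainsKey([int]$v)) { $meaning[[int]$v] } else { "unexpected value $v" }
    }
    '  {0} ({1}): {2}' -f $a.Name, $a.Id, $text
}
```

Run it as the account whose browsing session you care about, since the zone settings are per user. A server where either component reports OFF, or where the Internet zone is no longer at High with scripting and ActiveX disabled, is outside the configuration the bulletin review above was scored against and should be treated as an ordinary IE6 install.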